NtCreateUserProcess 参数

最新推荐文章于 2025-03-18 17:27:01 发布
最新推荐文章于 2025-03-18 17:27:01 发布
阅读量2.2k 收藏
点赞数
分类专栏: windows 调试

转载自:https://github.com/cuckoosandbox/monitor/blob/master/sigs/process_native.rst

Signature:

* Calling convention: WINAPI
* Category: process
* Library: ntdll
* Return value: NTSTATUS

NtCreateProcess

Parameters:

** PHANDLE ProcessHandle process_handle
** ACCESS_MASK DesiredAccess desired_access
*  POBJECT_ATTRIBUTES ObjectAttributes
** HANDLE ParentProcess parent_process_handle
** BOOLEAN InheritObjectTable inherit_handles
*  HANDLE SectionHandle
*  HANDLE DebugPort
*  HANDLE ExceptionPort

Flags:

desired_access

Pre:

wchar_t *filepath = get_unicode_buffer();
path_get_full_path_objattr(ObjectAttributes, filepath);

wchar_t *filepath_r = extract_unicode_string_objattr(ObjectAttributes);

Interesting:

u filepath
i desired_access
i inherit_handles

Middle:

uint32_t pid = pid_from_process_handle(copy_ptr(ProcessHandle));

Logging:

i process_identifier pid
u filepath filepath
u filepath_r filepath_r
i stack_pivoted exploit_is_stack_pivoted()

Post:

if(NT_SUCCESS(ret) != FALSE) {
    pipe("PROCESS:%d", pid);
    sleep_skip_disable();
}

free_unicode_buffer(filepath);
free_unicode_buffer(filepath_r);

NtCreateProcessEx

Parameters:

** PHANDLE ProcessHandle process_handle
** ACCESS_MASK DesiredAccess desired_access
*  POBJECT_ATTRIBUTES ObjectAttributes
** HANDLE ParentProcess parent_process_handle
** ULONG Flags flags
*  HANDLE SectionHandle
*  HANDLE DebugPort
*  HANDLE ExceptionPort
*  BOOLEAN InJob

Flags:

desired_access

Pre:

wchar_t *filepath = get_unicode_buffer();
path_get_full_path_objattr(ObjectAttributes, filepath);

wchar_t *filepath_r = extract_unicode_string_objattr(ObjectAttributes);

Interesting:

u filepath
i desired_access
i flags

Middle:

uint32_t pid = pid_from_process_handle(copy_ptr(ProcessHandle));

Logging:

i process_identifier pid
u filepath filepath
u filepath_r filepath_r
i stack_pivoted exploit_is_stack_pivoted()

Post:

if(NT_SUCCESS(ret) != FALSE) {
    pipe("PROCESS:%d", pid);
    sleep_skip_disable();
}

free_unicode_buffer(filepath);
free_unicode_buffer(filepath_r);

NtCreateUserProcess

Signature:

* Prune: resolve

Parameters:

** PHANDLE ProcessHandle process_handle
** PHANDLE ThreadHandle thread_handle
** ACCESS_MASK ProcessDesiredAccess desired_access_process
** ACCESS_MASK ThreadDesiredAccess desired_access_thread
*  POBJECT_ATTRIBUTES ProcessObjectAttributes
*  POBJECT_ATTRIBUTES ThreadObjectAttributes
** ULONG ProcessFlags flags_process
** ULONG ThreadFlags flags_thread
*  PRTL_USER_PROCESS_PARAMETERS ProcessParameters
*  PPS_CREATE_INFO CreateInfo
*  PPS_ATTRIBUTE_LIST AttributeList

Flags:

desired_access_process
desired_access_thread

Pre:

wchar_t *process_name = get_unicode_buffer();
path_get_full_path_objattr(ProcessObjectAttributes, process_name);

wchar_t *process_name_r =
    extract_unicode_string_objattr(ProcessObjectAttributes);

wchar_t *thread_name = get_unicode_buffer();
path_get_full_path_objattr(ThreadObjectAttributes, thread_name);

wchar_t *thread_name_r =
    extract_unicode_string_objattr(ThreadObjectAttributes);

wchar_t *filepath =
    extract_unicode_string_unistr(&ProcessParameters->ImagePathName);  // db poi(poi(esp+ 0x24)+ 0x3c)
wchar_t *command_line =
    extract_unicode_string_unistr(&ProcessParameters->CommandLine);

Middle:

uint32_t pid = pid_from_process_handle(copy_ptr(ProcessHandle));
uint32_t tid = tid_from_thread_handle(copy_ptr(ThreadHandle));

Logging:

i process_identifier pid
i thread_identifier tid
u process_name process_name
u process_name_r process_name_r
u thread_name thread_name
u thread_name_r thread_name_r
u filepath filepath
u command_line command_line
i stack_pivoted exploit_is_stack_pivoted()

Post:

if(NT_SUCCESS(ret) != FALSE) {
    pipe("PROCESS2:%d,%d,%d", pid, tid, HOOK_MODE_ALL);
    sleep_skip_disable();
}

free_unicode_buffer(process_name);
free_unicode_buffer(process_name_r);
free_unicode_buffer(thread_name);
free_unicode_buffer(thread_name_r);
free_unicode_buffer(filepath);
free_unicode_buffer(command_line);

RtlCreateUserProcess

Parameters:

*  PUNICODE_STRING ImagePath
** ULONG ObjectAttributes flags
*  PRTL_USER_PROCESS_PARAMETERS ProcessParameters
*  PSECURITY_DESCRIPTOR ProcessSecurityDescriptor
*  PSECURITY_DESCRIPTOR ThreadSecurityDescriptor
** HANDLE ParentProcess parent_process_handle
** BOOLEAN InheritHandles inherit_handles
*  HANDLE DebugPort
*  HANDLE ExceptionPort
*  PRTL_USER_PROCESS_INFORMATION ProcessInformation

Pre:

wchar_t *filepath = get_unicode_buffer();
path_get_full_path_unistr(ImagePath, filepath);

wchar_t *filepath_r = extract_unicode_string_unistr(ImagePath);

Interesting:

u filepath
i flags
i inherit_handles

Middle:

uint32_t pid = 0, tid = 0;
if(ProcessInformation != NULL) {
    pid = pid_from_process_handle(copy_ptr(&ProcessInformation->ProcessHandle));
    tid = tid_from_thread_handle(copy_ptr(&ProcessInformation->ThreadHandle));
}

Logging:

i process_identifier pid
i thread_identifier tid
u filepath filepath
u filepath_r filepath_r
i stack_pivoted exploit_is_stack_pivoted()

Post:

if(NT_SUCCESS(ret) != FALSE) {
    pipe("PROCESS2:%d,%d,%d", pid, tid, HOOK_MODE_ALL);
    sleep_skip_disable();
}

free_unicode_buffer(filepath);
free_unicode_buffer(filepath_r);

NtOpenProcess

Parameters:

** PHANDLE ProcessHandle process_handle
** ACCESS_MASK DesiredAccess desired_access
*  POBJECT_ATTRIBUTES ObjectAttributes
*  PCLIENT_ID ClientId

Flags:

desired_access

Ensure:

ClientId

Logging:

i process_identifier copy_uint32(&ClientId->UniqueProcess)

NtTerminateProcess

Signature:

* Prelog: instant

Parameters:

** HANDLE ProcessHandle process_handle
** NTSTATUS ExitStatus status_code

Pre:

uint32_t pid = pid_from_process_handle(ProcessHandle);

// If the process handle is a nullptr then it will kill all threads in
// the current process except for the current one. TODO Should we have
// any special handling for that? Perhaps the unhook detection logic?
if(ProcessHandle != NULL) {
    pipe("KILL:%d", pid);
}

Logging:

i process_identifier pid

NtCreateSection

Parameters:

** PHANDLE SectionHandle section_handle
** ACCESS_MASK DesiredAccess desired_access
*  POBJECT_ATTRIBUTES ObjectAttributes
*  PLARGE_INTEGER MaximumSize
** ULONG SectionPageProtection protection
*  ULONG AllocationAttributes
** HANDLE FileHandle file_handle

Flags:

desired_access

Pre:

wchar_t *section_name = extract_unicode_string_objattr(ObjectAttributes);

HANDLE object_handle = NULL; OBJECT_ATTRIBUTES objattr;

if(ObjectAttributes != NULL && copy_bytes(
        &objattr, ObjectAttributes, sizeof(OBJECT_ATTRIBUTES)) == 0) {
    object_handle = objattr.RootDirectory;
}

Logging:

p object_handle object_handle
u section_name section_name

Post:

free_unicode_buffer(section_name);

NtMakeTemporaryObject

Parameters:

** HANDLE ObjectHandle handle

NtMakePermanentObject

Parameters:

** HANDLE ObjectHandle handle

NtOpenSection

Parameters:

** PHANDLE SectionHandle section_handle
** ACCESS_MASK DesiredAccess desired_access
*  POBJECT_ATTRIBUTES ObjectAttributes

Flags:

desired_access

Pre:

wchar_t *section_name = extract_unicode_string_objattr(ObjectAttributes);

Logging:

u section_name section_name

Post:

free_unicode_buffer(section_name);

NtUnmapViewOfSection

Parameters:

** HANDLE ProcessHandle process_handle
** PVOID BaseAddress base_address

Pre:

MEMORY_BASIC_INFORMATION_CROSS mbi; uintptr_t region_size = 0;
if(virtual_query_ex(ProcessHandle, BaseAddress, &mbi) != FALSE) {
    region_size = mbi.RegionSize;
}

Logging:

i process_identifier pid_from_process_handle(ProcessHandle)
l region_size region_size

NtAllocateVirtualMemory

Signature:

* Mode: exploit

Parameters:

** HANDLE ProcessHandle process_handle
** PVOID *BaseAddress base_address
*  ULONG_PTR ZeroBits
** PSIZE_T RegionSize region_size
** ULONG AllocationType allocation_type
** ULONG Protect protection

Flags:

protection
allocation_type

Pre:

void *orig_base_address = copy_ptr(BaseAddress);

Logging:

i stack_pivoted exploit_is_stack_pivoted()
i stack_dep_bypass exploit_makes_stack_executable(ProcessHandle, orig_base_address, Protect)
i heap_dep_bypass exploit_makes_heap_executable(ProcessHandle, orig_base_address, Protect)
i process_identifier pid_from_process_handle(ProcessHandle)

NtReadVirtualMemory

Parameters:

** HANDLE ProcessHandle process_handle
** LPCVOID BaseAddress base_address
*  LPVOID Buffer
*  SIZE_T NumberOfBytesToRead
*  PSIZE_T NumberOfBytesReaded

Ensure:

NumberOfBytesReaded

Logging:

B buffer NumberOfBytesReaded, Buffer

NtWriteVirtualMemory

Parameters:

** HANDLE ProcessHandle process_handle
** LPVOID BaseAddress base_address
*  LPCVOID Buffer
*  SIZE_T NumberOfBytesToWrite
*  PSIZE_T NumberOfBytesWritten

Ensure:

NumberOfBytesWritten

Logging:

i process_identifier pid_from_process_handle(ProcessHandle)
!B buffer NumberOfBytesWritten, Buffer

NtProtectVirtualMemory

Signature:

* Mode: exploit

Parameters:

** HANDLE ProcessHandle process_handle
** PVOID *BaseAddress base_address
** PSIZE_T NumberOfBytesToProtect length
** ULONG NewAccessProtection protection
*  PULONG OldAccessProtection

Flags:

protection

Pre:

void *orig_base_address = copy_ptr(BaseAddress);

Logging:

i stack_pivoted exploit_is_stack_pivoted()
i stack_dep_bypass exploit_makes_stack_executable(ProcessHandle, orig_base_address, NewAccessProtection)
i heap_dep_bypass exploit_makes_heap_executable(ProcessHandle, orig_base_address, NewAccessProtection)
i process_identifier pid_from_process_handle(ProcessHandle)

NtFreeVirtualMemory

Parameters:

** HANDLE ProcessHandle process_handle
** PVOID *BaseAddress base_address
** PSIZE_T RegionSize size
** ULONG FreeType free_type

Logging:

i process_identifier pid_from_process_handle(ProcessHandle)

NtMapViewOfSection

Parameters:

** HANDLE SectionHandle section_handle
** HANDLE ProcessHandle process_handle
** PVOID *BaseAddress base_address
*  ULONG_PTR ZeroBits
** SIZE_T CommitSize commit_size
** PLARGE_INTEGER SectionOffset section_offset
** PSIZE_T ViewSize view_size
*  UINT InheritDisposition
** ULONG AllocationType allocation_type
** ULONG Win32Protect win32_protect

Flags:

allocation_type
win32_protect

Middle:

uintptr_t buflen = 0; uint8_t *buffer = NULL;

uint32_t pid = pid_from_process_handle(ProcessHandle);

if(NT_SUCCESS(ret) != FALSE && pid != get_current_process_id()) {

    // The actual size of the mapped view.
    buflen = *ViewSize;

    // As it is non-trivial to extract the base address of the original
    // mapped section, we'll just go ahead and read the memory from the
    // remote process.
    buffer = mem_alloc(buflen);
    if(buffer != NULL) {
        virtual_read_ex(ProcessHandle, *BaseAddress, buffer, &buflen);
    }
}

Logging:

i process_identifier pid
!b buffer buflen, buffer

Post:

if(NT_SUCCESS(ret) != FALSE) {
    pipe("PROCESS:%d", pid);
    sleep_skip_disable();
}

mem_free(buffer);
NtCreateUserProcess 初探与玩法
stopys6的博客
09-13 386
/要注意的是我们每添加一个新属性,都需要将PS_ATTRIBUTE增大,因为调用RtlAllocateHeap要为PS_ATTRIBUTE分配足够的内存空间最后NtCreateUserProcess其实很多CreateProcess的项目,就比如ppid也有用CreateProcess写的,都可以加以改变改成用NtCreateUserProcess操作的,就可以把一个很简单的被查杀CreateProcess进行一个免杀保护了。(当然也不是都能改的具体情况具体分析)
NtCreateUserProcess 初探与玩法2
woshiyanfu的博客
09-26 152
/要注意的是我们每添加一个新属性,都需要将PS_ATTRIBUTE增大,因为调用RtlAllocateHeap要为PS_ATTRIBUTE分配足够的内存空间最后NtCreateUserProcess其实很多CreateProcess的项目,就比如ppid也有用CreateProcess写的,都可以加以改变改成用NtCreateUserProcess操作的,就可以把一个很简单的被查杀CreateProcess进行一个免杀保护了。(当然也不是都能改的具体情况具体分析)
开源宝藏:Django与Next.js的完美融合
gitblog_00025的博客
06-22 377
开源宝藏:Django与Next.js的完美融合 django-nextjs Next.js integration for Django projects 项目地址: https://gitcode.com/gh_mirrors/dj/django-nextjs...
浅析封装NT函数绕过检测机制与免杀技术
最新发布
moonlightsunshin的博客
03-18 949
NT函数(即“Native”函数)是微软Windows操作系统内部提供的一组底层系统调用,这些函数位于NT层,也称为Windows NT内核层。这些函数直接与操作系统的内核交互,提供了底层的操作功能,比如内存管理、线程管理、进程创建等。与之相对的是Windows API,后者是为用户应用程序提供的更高级接口。NT函数的调用通常直接通过ntdll.dll库中的相关函数来实现。
CreateProcessAsUser
君子居易
07-23 8584
该CreateProcessAsUser函数创建一个新的进程及其主线程。新进程然后执行指定的可执行文件。该CreateProcessAsUser功能类似的CreateProcess函数,除了新进程运行在由hToken参数表示的用户的安全上下文中。默认情况下,新进程是非交互式的,即它运行在不可见且无法接收用户输入的桌面上。此外,默认情况下,新进程继承调用进程的环境,而不是与指定用户关联的环境。 BOOL CreateProcessAsUser( HANDLEhToken, // 处理代表..
NtCreateUserProcess
03-11
NtCreateUserProcess是Windows操作系统中的一个系统调用函数,用于创建一个新的用户进程。它是Windows内核提供的一种机制,用于创建和初始化一个新的用户进程,并将其加载到内存中执行。 该函数的原型如下: ...
浅谈EDR绕过
hongduilanjun的博客
09-14 2053
我们知道一般EDR对可疑程序进行监控一般都会采用往程序里注入到检测的进程中,通过hook一些敏感的3环API来判断程序是否进行一些恶意操作,那么我们可以通过添加流程缓解措施和漏洞利用保护参考来实现保护,从而防止EDR的dll注入对进程进行检测。
C语言进程隐藏NTOpenprocess,64位下Hook NtOpenProcess的实现进程保护 + 源码 (升级篇 )...
weixin_32893479的博客
05-23 987
【PS: 如果在64位系统下,出现调用测试demo,返回false的情况下,请修改Hook Dll的代码】glhHook = SetWindowsHookEx(WH_SHELL,ShellHookProc, 0 , 0);//改成跟X86下一样的glhHook = SetWindowsHookEx(WH_SHELL,ShellHookProc,glhInstance, 0);2013.09.11...
Windows 进程的创建和终止
m0_56069948的博客
07-15 815
创建一个继承需要考虑非常多的点,从用户模式到内核模式的转换,内核对象的构建再回到用户模式与子系统的通信。这个部分牵涉到的内容非常多,也非常值得详细研究。先了解大框架,再来细化其中的每个点。httpshttpshttpshttps。...
(转)NtCreateUserProcess参数
weixin_30885111的博客
01-07 389
http://www.skyfishes.com/vc/ntcreateuserprocess/   最近有个程序需要修改子进程的父进程来达到隐藏自身的效果,本来Hook NtCreateProcessEx简单搞定,结果发现Win7下断不下来  果断谷歌,发现Vista之后CreateProcess不再经过NtCreateProcessEx,而是调用NtCreateUserProces...
hook CreateProcessInternal
07-02
利用inline hook技术挂钩CreateProcessInternal,win7 32/64代码均有
X64 inline hook CreateProcessInternalW
11-24
X64 inline hook explorer.exe-->CreateProcessInternalW监视进程创建. vc2008+WIN7 64测试通过.
全局 Hook CreateProcessInternalW 测试 VB版.rar
07-09
纯VB全局 Hook CreateProcessInternalW 测试——进程防火墙,可拦截进程,程序主要是安装一个消息钩子,然后和主程序通讯,可以拦截控制台程序(做了递归注入),搞这些东西好像现在也没什么实际意义,代码写的也乱糟糟的,主要就是闲得慌,纯娱乐一下。
进程创建过程分析NtCreateProcess-NtCreateProcessEx-PspCreateProcess
xrzh8989的专栏
04-04 4098
转自 http://www.blogfshare.com/createprocess-analyse.html  进程创建过程分析NtCreateProcess-NtCreateProcessEx-PspCreateProcess AloneMonkey 2014年7月26日 0 在内核中,windows创建一个进程的过程是从NtCreateProce
[转载]关于NtCreateUserProcess和NtCreateThreadEx的参数
angbagangzhe065140的博客
02-10 906
转自: http://hi.baidu.com/zzzevazzz/item/b2a9c9a4ea6805f615329ba7 这两个Vista新增的系统服务函数原型未公开,目前网上搜索到的资料有些问题,特别是对于最后一个参数的描述不确切。 首先说NtCreateUserProcess。网上找到的函数原型如下: DWORD newNtCreateUserProcess(PVOID ...
CreateProcess 内部实现
点点灵犀
02-19 2898
*ReactOS学习笔记* CreateProcess 内部实现 调用CreateProcessW    调用CreateProcessInternalW       参数检查       获取进程文件路径       调用BasepMapFile映射文件(内部调用NtCreateSection)       判断是否是一个DLL文件       判断子系统类型(只能是
od结构体大小_[求助]ZwCreateUserProcess第10个参数结构
weixin_36382073的博客
01-12 516
// privatetypedef enum _PS_ATTRIBUTE_NUM{PsAttributeParentProcess, // in HANDLEPsAttributeDebugPort, // in HANDLEPsAttributeToken, // in HANDLEPsAttributeClientId, // out PCLIENT_IDPsAttributeTebAddre...
CreateProcess进程创建的内核跟踪分析
zjw1989
09-12 1071
<br />*[标题]:CreateProcess进程创建的内核跟踪分析<br />*[作者]:gz1X [gz1x(at)tom(dot)com]<br />*[来自]:中国黑客联盟 [CHU]<br /><br />    <br />*[正文]:<br /><br /><br />[实现流程]<br />——————————————————————<br />1.打开需要执行的文件(.exe);<br />2.创建执行体进程对象; //<-------重点<br />3.创建初始线程; /
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值